The patches are far from completely installed. Windows users should already be largely covered, thanks to the coordinated release of Microsoft patches on the July 2008 MS Patch Tuesday. According to several reports like the one generated by CERT.at (links here and here), the patch situation on the real resolving nameservers is a bit on the weak side, to put it mildly. The patches available for BIND implementations are not final and have been shown to have major performance problems, especially in Solaris environments. So I fully understand the ISPs who are very concerned about their patch situation.

Why is this vulnerability so special? DNS is one of the fundamental services that make the Internet tick. It is the white pages of the 'net, binding all domain names to the related IP addresses. The ability to disturb this database - totally unnoticed by the end users - is really, really nasty.

Just think of it:

Someone changes the NS records of Google in a major ISP's resolver stack. All Google-related traffic of the ISP's customers (the opening page of Firefox, Gmail etc.) goes where the attacker wants. Hmm, some nice drive-by exploit code on the Firefox opening page?

A major bank's webbank A record is redirected to Somewhere Else. How many webbank users type https:// in the browser URL line?

Need I say more?

I hope the ISPs do their best to get their infrastructure protected. And good luck to ISC for their efforts in finding a complete solution to the BIND issues. The really challenging part is how to patch all SOHO NAT firewalls and WLAN boxes... this is one of the very first times when we need to patch the black box with blinking lights at the bottom of the cupboard. Globally.

It must be July. The mainstream press has been surprisingly quiet on this one.